Security settings incorporated into policies are rules that administrators configure on a computer or multiple computers for the purpose of protecting resources on a computer or network. The Security Settings extension of the Local Group Policy Object Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and enable administrators to manage security settings for multiple computers from any computer joined to the domain. Security settings are used as part of your overall security implementation to help secure domain controllers, servers, clients and other resources in your organization.

There are no changes in functionality to the tools and snap-ins used to administer security policy settings on the local computer or throughout the domain using Group Policy.

There were no policy settings added in Windows Server 2012 R2 and Windows 8.1.

The following table lists the Security Settings new for Windows Server 2012 and Windows 8. For detailed descriptions of these and other settings, see Security Policy Settings Reference.

| Security policy | Location | Description |
| --- | --- | --- |
| Accounts: Block Microsoft accounts | Windows Settings/Security Settings/Local Policies/Security Options | This policy setting prevents users from adding new Microsoft accounts on this computer. |
| Interactive logon: Machine account threshold. | Windows Settings/Security Settings/Local Policies/Security Options | The computer lockout policy is enforced only on those computers that have BitLocker enabled for protecting operating system volumes. Please ensure that appropriate recovery password backup policies are enabled. |
| Interactive logon: Machine inactivity limit. | Windows Settings/Security Settings/Local Policies/Security Options | Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. |
| | | This security setting is to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. |

The following table provides links to additional resources that can help you understand and implement security policies using security settings in the versions designated in the Applies to list at the top of this page.